Microsoft has disclosed a security breach caused by a misconfigured internal customer support database that exposed roughly 250 million customer support and service records, some of them containing personally identifiable information (PII). Microsoft confirmed that misconfigured security rules added to the server in question on December 5, 2019 exposed the data, and that the exposure persisted until engineers remediated the configuration on December 31, 2019.
Microsoft did not give details such as the number of records exposed, the type of database that was left unprotected, or the type of personal information that was left in the open, saying only that data in the support case analytics database was "redacted using automated tools to remove personal information." While most of the records stored in the heavily redacted internal database used for support case analytics did not contain personal information, some PII in non-standard formats escaped the redaction. For instance, email addresses written with spaces, such as 'username @ domain.com' instead of 'username@domain.com', were left untouched by Microsoft's automated PII redaction tools.
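The failure mode described above is easy to reproduce: a redaction pass tuned to well-formed addresses silently misses the same data written with stray whitespace. The following is an added example, not code from the original report or from Microsoft's tooling. It constructs a few sample support-case lines (not data from the exposed database), runs a naive email pattern and a whitespace-tolerant one over them, and then applies a deliberately loose post-redaction check that flags anything still shaped like an address, including spelled-out 'at' / 'dot' forms that neither redactor handles. All patterns, placeholders and sample lines are the example's own assumptions.

```python
import re
from typing import List, Pattern

# Constructed sample support-case text for this example; not records from
# the exposed database.
SAMPLE_CASES: List[str] = [
    "Customer alice@example.com reports login failures.",
    "Customer bob @ example.com reports login failures.",
    "Contact: carol @example.com, ticket reopened.",
    "Customer dave at example dot com could not reset password.",
]

# Naive pattern: only matches a tightly formed address, the shape an
# automated redaction pass is typically tuned for.
NAIVE_EMAIL: Pattern[str] = re.compile(
    r"[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}"
)

# Tolerant pattern: allows optional whitespace on either side of '@' and
# around the dots of the domain, so 'user @ domain.com' is still caught.
TOLERANT_EMAIL: Pattern[str] = re.compile(
    r"[A-Za-z0-9._%+-]+\s*@\s*[A-Za-z0-9-]+(?:\s*\.\s*[A-Za-z0-9-]+)*\s*\.\s*[A-Za-z]{2,}"
)

# Loose post-redaction detector used only to audit the output: anything that
# still reads as 'token at/@ token dot/. token'. It is intentionally broader
# than the redactors and will also catch spelled-out obfuscations.
RESIDUAL_HINT: Pattern[str] = re.compile(
    r"\w+\s*(?:@|\bat\b)\s*\w+(?:\s*(?:\.|\bdot\b)\s*\w+)+",
    re.IGNORECASE,
)


def redact(text: str, pattern: Pattern[str], placeholder: str = "[EMAIL]") -> str:
    """Replace every match of `pattern` in `text` with `placeholder`."""
    return pattern.sub(placeholder, text)


def redact_cases(cases: List[str], pattern: Pattern[str]) -> List[str]:
    """Run the redactor over a batch of support-case lines."""
    return [redact(line, pattern) for line in cases]


def residual_pii(cases: List[str]) -> List[str]:
    """Return the lines that still carry an email-like token after redaction.

    This is the verification step: audit the redactor's output with a looser
    detector than the redactor itself uses, so gaps like 'user @ domain.com'
    show up before the data is shared.
    """
    return [line for line in cases if RESIDUAL_HINT.search(line)]


if __name__ == "__main__":
    for label, pattern in (("naive", NAIVE_EMAIL), ("tolerant", TOLERANT_EMAIL)):
        output = redact_cases(SAMPLE_CASES, pattern)
        leftovers = residual_pii(output)
        print(f"{label}: {len(leftovers)} line(s) still contain email-like data")
        for line in leftovers:
            print("  ", line)
```

The naive redactor leaves three of the four constructed lines untouched; the tolerant one leaves only the spelled-out 'dave at example dot com' form, which the residual check still flags. The point of the last function is that redaction and verification should not share the same pattern: a check that is at least as strict as the redactor can never find what the redactor missed.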
As a result of the incident, Microsoft says it is taking steps to better lock down its use of cloud-based databases. For example, the company has pledged to improve auditing of the security rules on its internal resources and to expand the scope of the tools it uses to search for security rule misconfigurations. The company also says it will expand its alerting systems so that security rule misconfigurations raise an alert when they occur.
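The page does not say which cloud or which rule format was involved, so the following is an added example with a hypothetical rule model, not Microsoft's tooling or any provider's real API. It shows the kind of check an audit for "security rule misconfigurations" would run: for each common database listener port, evaluate the rule set in priority order against a representative public source address and report every port that ends up reachable. Three constructed rule sets are included: an over-permissive one, a corrected one that only admits a private range, and one where a later deny rule is shadowed by an earlier allow-all, a misconfiguration that looks fine at a glance. Rule names, priorities, the probe address (from the documentation-only TEST-NET-3 range) and the port list are all assumptions of the example.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Dict, List, Tuple


@dataclass(frozen=True)
class Rule:
    """Hypothetical firewall rule; an assumption, not a real provider's schema."""
    name: str
    priority: int      # lower number is evaluated first, as in most cloud firewalls
    direction: str     # "inbound" or "outbound"
    action: str        # "allow" or "deny"
    source: str        # CIDR the rule applies to
    ports: str         # "1433", "9200-9300" or "*"


# Constructed list of database listener ports worth auditing; assumption.
SENSITIVE_PORTS: Dict[int, str] = {
    1433: "MSSQL",
    3306: "MySQL",
    5432: "PostgreSQL",
    6379: "Redis",
    9200: "Elasticsearch",
    27017: "MongoDB",
}

# Constructed rule sets for this example.
WEAK_RULES: List[Rule] = [
    Rule("allow-all-inbound", 100, "inbound", "allow", "0.0.0.0/0", "*"),
    Rule("deny-all", 65000, "inbound", "deny", "0.0.0.0/0", "*"),
]
FIXED_RULES: List[Rule] = [
    Rule("allow-internal-db", 100, "inbound", "allow", "10.0.0.0/8", "1433"),
    Rule("deny-all", 65000, "inbound", "deny", "0.0.0.0/0", "*"),
]
# The deny looks like a fix, but a broader allow with a better priority wins.
SHADOWED_RULES: List[Rule] = [
    Rule("allow-any-inbound", 100, "inbound", "allow", "0.0.0.0/0", "*"),
    Rule("deny-public-db", 200, "inbound", "deny", "0.0.0.0/0", "1433"),
    Rule("deny-all", 65000, "inbound", "deny", "0.0.0.0/0", "*"),
]


def port_in_range(spec: str, port: int) -> bool:
    """True if `port` falls within a "*", "N" or "N-M" port specification."""
    if spec == "*":
        return True
    low, _, high = spec.partition("-")
    return int(low) <= port <= int(high or low)


def effective_action(rules: List[Rule], port: int, source: str) -> Tuple[str, str]:
    """First-match evaluation in priority order; implicit deny if nothing matches."""
    src_ip = ip_address(source)
    for rule in sorted(rules, key=lambda r: r.priority):
        if rule.direction != "inbound":
            continue
        if not port_in_range(rule.ports, port):
            continue
        if src_ip in ip_network(rule.source, strict=False):
            return rule.action, rule.name
    return "deny", "<implicit-deny>"


def find_public_exposure(rules: List[Rule], probe: str = "203.0.113.10") -> List[Tuple[int, str, str]]:
    """Return (port, service, rule name) for every sensitive port an arbitrary
    public address can reach. `probe` is a TEST-NET-3 address standing in for
    'anywhere on the internet'."""
    findings = []
    for port, service in sorted(SENSITIVE_PORTS.items()):
        action, name = effective_action(rules, port, probe)
        if action == "allow":
            findings.append((port, service, name))
    return findings


if __name__ == "__main__":
    for label, rules in (("weak", WEAK_RULES), ("fixed", FIXED_RULES), ("shadowed", SHADOWED_RULES)):
        findings = find_public_exposure(rules)
        print(f"{label}: {len(findings)} publicly reachable database port(s)")
        for port, service, name in findings:
            print(f"   {service} ({port}) allowed by rule '{name}'")
```

Evaluating the rules rather than grepping for "0.0.0.0/0" is what makes the shadowed case visible: the deny rule is present, but it never applies. Wired to a periodic scan or to a change hook on the rule set, the same function is the basis for the alerting the article describes.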